Talos Vulnerability Report

TALOS-2016-0161

Oracle OIT libim_psi2 psiparse Code Execution Vulnerability

July 19, 2016

CVE Number

CVE-2016-3594

Description

A memory corruption vulnerability exists in the file parsing code of the
Oracle Outside In Technology libim_psi2 library. Specifically, an
integer overflow leads to an undersized memory allocation, and a
subsequent memory copy operation in the psiparse function overflows that buffer,
writing 8 controlled bytes into adjacent memory and possibly leading to code execution.

Tested Versions

Oracle Outside In Technology Content Access SDK 8.5.1.

Product URLs

Details

While parsing a PSI image file, a 2 byte size field is read and sign extended.
This value is then used in a memory allocation and in a subsequent memmove call.
The size value read from the file is increased by 8 before the actual memory area is allocated,
but the original, unadjusted size is used in the memmove call.

As an example, the vulnerability is triggered in the ixsample demo application
supplied in the SDK.

The PSI file is parsed by the parsepsi function. The vulnerability occurs around the following
code:

At [1] the size read from the file is used as the size argument to a memory allocation function
called at [2]. At [3] the size is used as an argument to the function called at [4].
In the vulnerable code path, the function called at [4] is located at offset 0xad3dc
in the libim_psi2 library and is, in essence, a memmove wrapper.

The size argument is parsed in the PSCAN_Next function, specifically in a function at offset
0x904ab:

In the supplied testcase, the big endian value 0xFFF9 is sign extended to
0xFFFFFFF9. Adding 8 to it in the memory allocation function wraps this value around, so
it passes the checks there, but the original size then leads to a crash during memmove.

It is worth noting that the buffer copied during memmove is located
just after the 2 byte size value in the supplied crashing testcase.
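The arithmetic described above, as an added example in C that is not part of the Talos report or of Oracle's code: the sign-extending 2 byte read and the wrapping `+ 8` beside a checked variant that rejects the record. The function names are hypothetical and the byte sequences are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable arithmetic as described in the report: the 2-byte big-endian
 * size field is read into a signed 16-bit value and sign-extended to 32 bits. */
uint32_t psi_size_sign_extended(const uint8_t *p) {
    int16_t s = (int16_t)(((uint16_t)p[0] << 8) | p[1]);
    return (uint32_t)(int32_t)s;          /* 0xFFF9 becomes 0xFFFFFFF9 */
}

/* The allocation uses size + 8 in 32-bit arithmetic, which wraps for a
 * sign-extended value, while the memmove later uses the unadjusted size. */
uint32_t psi_alloc_size_unchecked(uint32_t size) {
    return size + 8u;                     /* 0xFFFFFFF9 + 8 wraps to 1 */
}

/* Hardened variant (hypothetical helper, not OIT's code): read the field as
 * unsigned, widen before adding the 8 extra bytes, and require the declared
 * payload, which follows the size field, to fit in the remaining input.
 * Returns the safe allocation size, or 0 if the record must be rejected. */
size_t psi_alloc_size_checked(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 2)
        return 0;
    size_t size = ((size_t)buf[0] << 8) | buf[1];  /* unsigned, no sign extension */
    if (size > len - 2)                   /* payload must lie inside the input */
        return 0;
    if (size > SIZE_MAX - 8)              /* generic guard against wrap */
        return 0;
    return size + 8;
}

int main(void) {
    /* Constructed inputs: the reported pattern (0xFFF9) and a well-formed record. */
    static const uint8_t bad[]  = {0xFF, 0xF9, 'A', 'B', 'C', 'D'};
    static const uint8_t good[] = {0x00, 0x04, 'A', 'B', 'C', 'D'};
    uint32_t ext = psi_size_sign_extended(bad);
    printf("sign-extended size 0x%08x, unchecked alloc size %u\n",
           (unsigned)ext, (unsigned)psi_alloc_size_unchecked(ext));
    printf("checked bad: %zu, checked good: %zu\n",
           psi_alloc_size_checked(bad, sizeof bad),
           psi_alloc_size_checked(good, sizeof good));
    return 0;
}
```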